CVE-2023-1097 - OpenCVE

Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Baicells	Eg7035-m11 Firmware Eg7035-m11

Configuration 1 [-]

AND

cpe:2.3:o:baicells:eg7035-m11_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:baicells:eg7035-m11:-:*:*:*:*:*:*:*

References

Link	Resource
https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756	Release Notes
https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Baicells

Published: 2023-03-01T19:29:26.456Z

Updated: 2023-03-01T19:29:26.456Z

Reserved: 2023-02-28T17:35:19.554Z

Link: CVE-2023-1097

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-01T20:15:11.073

Modified: 2023-11-07T04:02:29.747

Link: CVE-2023-1097

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-1097", "assignerOrgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7", "state": "PUBLISHED", "assignerShortName": "Baicells", "dateReserved": "2023-02-28T17:35:19.554Z", "datePublished": "2023-03-01T19:29:26.456Z", "dateUpdated": "2023-03-01T19:29:26.456Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["BCE"], "product": "EG7035-M11", "vendor": "Baicells", "versions": [{"changes": [{"at": "BaiCE_BM_2.5.26", "status": "unaffected"}], "lessThanOrEqual": " BCE-ODU-1.0.8", "status": "affected", "version": "0", "versionType": "patch"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "CPE would need to be configured and running on BCE-ODU-1.0.8 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method. "}], "value": "CPE would need to be configured and running on BCE-ODU-1.0.8 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method. "}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Lionel Musonza"}, {"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "Baicells Security Team"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><span style=\"background-color: rgb(255, 255, 255);\">Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.<br></span><br><br></p><br>"}], "value": "Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Line Execution through SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": " CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7", "shortName": "Baicells", "dateUpdated": "2023-03-01T19:29:26.456Z"}, "references": [{"tags": ["patch", "release-notes"], "url": "https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756"}, {"tags": ["patch"], "url": "https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Baicells recommends that all customers currently running an earlier version of BCE-ODU-1.0.8 upgrade their product to the BaiCE_BM_2.5.26 firmware.</p><br>"}], "value": "Baicells recommends that all customers currently running an earlier version of BCE-ODU-1.0.8 upgrade\u00a0their product to the BaiCE_BM_2.5.26\u00a0firmware.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Unauthenticated Command Injection EG7035-M11 Series", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:baicells:eg7035-m11_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "36273B84-D85D-43E1-92E2-B30F5C68E989", "versionEndIncluding": "bce-odu-1.0.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:baicells:eg7035-m11:-:*:*:*:*:*:*:*", "matchCriteriaId": "3EA6185C-6193-4821-823C-7C6BF54208B9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable special thanks to Lionel Musonza for the discovery.\n\n\n\n\n\n"}], "id": "CVE-2023-1097", "lastModified": "2023-11-07T04:02:29.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "security@baicells.com", "type": "Secondary"}]}, "published": "2023-03-01T20:15:11.073", "references": [{"source": "security@baicells.com", "tags": ["Release Notes"], "url": "https://community.na.baicells.com/t/baice-bm-2-5-26-new-cpe-software-has-been-released/1756"}, {"source": "security@baicells.com", "tags": ["Product"], "url": "https://img.baicells.com//Upload/20220524/FILE/BaiCE_BM_2.5.26_NA.bin.bin"}], "sourceIdentifier": "security@baicells.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@baicells.com", "type": "Secondary"}]}